Sunday, December 8, 2013

ALEC's student privacy bill and the hydra-headed data predators

Additional UPDATE: According to Hadi Partovi, founder of Code.org, Mark Zuckerberg had nothing to do with starting the organization. Hadi is also in the process of revising the privacy agreement for Code.org.

UPDATE: Turns out NYC DOE intends to work with with Code.org (see below) whose sample contract demands 4-6 years of personal student data. The huge number of well-funded private interests eager to pirate your child's data or enable others to do so is a many headed hydra which seems to grow new heads every time another is chopped off.As recently reported in Education Week , the American Legislative Exchange Council (or ALEC), the conservative advocacy group, is jumping on the student privacy bandwagon and has written a “model” bill for state legislators to adopt, based on an Oklahoma privacy bill that was recently passed.

Even at first glance, I realized this bill was inadequate because it doesn’t provide for any parental consent before children’s personal data is handed over to vendors, and noted this to the EdWeek reporter:

Leonie Haimson, a New York City-based parent and public schools advocate, also questioned the wisdom of not providing families more say in whether and how their children’s information is being shared.

“To me, it sounds like [the bill is intended] to assuage the fears of parents who want there to be something done to protect their children’s data, but who aren’t really informed about the issues,” Ms. Haimson said.

Bills that contain more specifics but don’t take as comprehensive an approach have gained some traction in other states. In New York, for example, Ms. Haimson and her nonprofit organization, Class Size Matters, have helped push more-targeted bills crafted to stop the release of sensitive student information without parental consent and to allow parents the opportunity to opt out of data-sharing efforts involving third-party vendors.

Even State Rep. David Brumbaugh, the author of the Oklahoma student privacy bill, admitted as such in the article:

For his part, Mr. Brumbaugh, the Oklahoma lawmaker, said his state’s efforts should be construed as a first step. “We want to shore [students’ privacy] up even more,” he said, pointing to parental-consent provisions as one area where the state could see further action. “This is all new territory.”

Any bill that doesn’t require parental consent before personal student data is shared should not be acceptable to either conservatives or liberals; this is what the federal student privacy protection act known as FERPA required before the US Department of Education rewrote and eviscerated its protections in 2008 and 2011.

Since then I have taken a closer look at the ALEC privacy bill, and see other weaknesses:

·It wouldn’t prevent states from sharing personal student data with contractors or between agencies without consent;

·It would enable states to make whatever personal data they please available to researchers;

·It calls for only such parental notification already required under federal or state law;

·It would allow for all sorts of involuntary data disclosures for students transferring out of state or “taking a national or multistate assessment”;

·It would encourage the outsourcing of data to private vendors or organizations, as long as there are unspecified provisions made to “safeguard privacy and security and include penalties for noncompliance”.

Though
the bill also bars disclosure of medical and criminal records, it would NOT bar
the involuntary disclosure of highly sensitive disciplinary or most likely
children’s disabilities and health conditions, as specified in their 504
designations and accommodations.

In
short, nothing in this bill would prevent agencies from doing
everything the NY State Education is currently planning, in sharing extremely
confidential student data with inBloom Inc., without parental consent.

In
short, I suspect that ALEC is merely acting to try to pre-empt stronger bills
that would actually protect student privacy, such as A.6059A and A.7872passed
by the NY State Assembly last session, and introduced this year in the Senate
as S. 5932 and S. 5930 .This suspicion is reinforced by other
draft education bills being proposed by ALEC this year that would instead
encourage and expand such risky data practices.

See
for example, in this list of draft ALEC bills, the “Student Achievement Backpack Act”: Though
it is promoted as “providing access” to parents of a student’s education
records from K-12, it would provide “a complete learner profile” to
schools and districts, stored on a data cloud and “managed by the State Office
of Education” which would follow “the student from school to school.” Parents
would have no authority over who accessed their children’s data but instead
this would be controlled by the state and district, who could make it available
to anyone they chose “via a web browser.”

The “Student Futures
Program Act” is even more nightmarish -- a “career planning program” that seems
designed to steer students to
appropriate jobs based upon their test scores and other academic data. An
Orwellian “Student Futures Steering Committee"
made up of individuals appointed by the Governor, would “administer and manage Student Futures in collaboration with the
Department of Workforce Services, the State Board of Regents, and the State
Board of Education.”

Then “education providers” and
businesses would be allowed access to an online website that stores the student
data, enabling them to “research and find student users” to whom they can
“promote” their programs” and “market jobs." No mention of any need
for consent, limitations on access to this data, or security or privacy
protections. In fact, the language calls for giving the Student Futures
Committee authority to "control all user data within the system.”

ALEC
is also proposing questionable bills to require states adopt “interactive”
[read: data-mining] software programs, online testing and data collection of
young children starting in Kindergarten, with innocuous titles like “Early
Intervention Program Act” and “Technology-Based Reading Intervention for
English Learners Act.”

Even
though we have up till now focused largely on the dangers represented by the
inBloom mega-data sharing project, it is impossible to ignore that a huge
number of software vendors who are eager to jump into the highly profitable
data-mining arena, with or without inBloom.

For
example, a company called Code.org,
founded by Mark Zuckerberg of Facebook fame as well as other technology
luminaries, is offering free coursework in computer programming and teacher
training to schools in return for four to six years of personal student data:

What
restrictions apply? Few if any:

Use or access to any protected data
obtained as a result of these studies will be limited to representatives with a
legitimate interest in accessing this data, which will include the Entity
Coordinator, school administrators, and other persons who are specifically
authorized by the Entity [Code.org] as having a legitimate interest in
receiving the data.

For
more on Code.org, see ValleyWag, Pando.com and this promotional
video, complete with Bill Gates, the original data pirate
himself. UPDATE: see above, Hadi Partovi is revising the privacy agreement.

Meanwhile, according to Politico, Kris
Amundson, formerly of Education Sector, a Gates-funded think tank, now at the
National Association of State Boards of Education, urged state legislators
last week "to be out in front of that [data privacy] issue before it
comes back to bite you," adding that restricting the collection of
this data is "a proxy to defeat higher standards and better testing"
and "could really have legs.”

It
will be our job as parents and advocates to ensure that the fight against
excessive personal data collection and disclosure does have legs, until the
right of parents to have their children’s information protected from data
predators is secured.

6 comments:

Anonymous
said...

Hi, can you provide some more detail about the wording you posted from Code.org. I am not seeing that wording in their TOS or Privacy Policy. Where does it come from? A few links would be appreciated. Thanks.

[in short, I suspect that ALEC is merely acting to try to pre-empt stronger bills that would actually protect student privacy, such as A.6059A and A.7872 passed by the NY State Assembly last session, and introduced this year in the Senate as S. 5932 and S. 5930]

The Senate bills were introduced the same year as the Assembly bills. And for the record, the Senate has had a student privacy bills going back to 2010/11 The Assembly's interest in student privacy was a couple of years later.

You don't like the ALEC CPO bill however you haven't commented on the CPO for Education Act.

http://educationnewyork.com/files/CPOforED-2-01.pdf

Also, I like the coding courses & not concerned about the data collected.

Here's a link to my testimony before the Assembly. The student privacy bills currently in the legislature are discussed as well as the need for a state CPO for Education backed up by Joel Reidenberg's testimony before Congress.

Thanks for posting the links, Leonie. I am not sure I am concerned about the Codign.org example. I think there is a big difference between actually signing up a school to be a 2-year "partner" v. just using the valuable resources found on their site for free and without having to supply PII. There is no such thing as a free lunch, so any school who signs up to obtain the full package of curriculum materials has to assume they will need to send something back in return. Now, what I'd add is in that case parents should be informed as to exactly what is taking place, what data needs to be sent to coding.org, etc. and an opt in/out should be presented to parents. Or, schools can simply find a different set of curriculum. Still have to dig into this a bit more as I do like the resources available from the organization, but am concerned about this "contract". Not overly concerned because it is not some state wide initiative, but somewhat concerned.

The other thing with the privacy and data collection is that they were collecting data they didn't need to collect. You know the demographics of the school why do you need it for that specific student to let them play a game for an hour?

Hadi had/has a company to build a personalized learning platform with Zuckerberg (his announcement this week makes this more interesting) and Code.org was a way to collect the data. Ashton Kutcher was also an investor. But after the privacy debacle they shelved it - or did they?

There are a lot of districts that signed an agreement with code.org who didn't have signing authority. The teacher can't sign this she's not empowered too. And what is code.org going to do if someone says they don't have time for their kids to play a game? Are they going to sue them?